Changes coming with Strong Customer Authentication

Two-factor authentication and SCA will mean some adjustments in e-commerce.


September 14 is a red-letter day for online retailers: that Saturday following DMEXCO marks a shift that will bring sweeping changes for European online retailers and their customers. It is the date that Strong Customer Authentication (SCA) goes into effect. Under the Directive, online payments can only be processed using a second, additional authentication factor (also known as Two-Factor Authentication*).

So where a credit card number was once all that was required to pay for an order placed online, soon customers will have to have at least two of three factors at hand to complete an online purchase, order a concert ticket or conclude a contract with a streaming service. There are three groups of characteristics:

  1. something the customer knows (such as a password or PIN)
  2. something a person has in his or her possession (such as a smartphone) or
  3. something that is inherent to the customer (biometric features such as a fingerprint, the iris or the customer’s own face).

Greater protections against online fraud

Legislators decided to tighten legislation (EU-wide, incidentally) not as a way of annoying retailers and customers but in order to improve security when paying and to make things significantly harder for fraudsters. Even though almost every individual element has some vulnerability (a smartphone can be lost, a password can be spied on and even a fingerprint can be secretly copied), combining different security features makes fraud in online commerce significantly harder to commit. The European Central Bank estimates that credit card fraud alone is already causing some EUR 1.3 billion in damage every year.

Guillaume Princen, Head of Business for Continental Europe at payment service provider Stripe, describes the scope of the innovation. “Strong customer authentication is certainly no less complex than the GDPR,” he explains. “National regulators interpret the EU’s overarching Directive differently. Card networks and banks have established their own rules and guidelines as well. There are also significant exceptions, because SCA is not always required.”

Ralf Gladis, founder and Managing Director of payment service provider Computop, also sees the new rules in a positive light: “Strong Consumer Authentication (SCA) requirements will offer retailers and consumers better protections against fraud in the future.” At the same time, the expert also warns retailers of the impacts: “If buyers then have to go to great lengths to authenticate themselves in two ways, this can lead to order cancellations and poor conversion.”

How retailers can keep conversion rates up

One thing is already clear today: Shopping online is apt to be somewhat more complicated for the customer. This poses a risk to retailers that the number of purchase cancellations will increase and that sales will be lost as a result. The only complicated new wrinkle for retailers is one-time implementation. The main idea behind this is to ensure that a retailer’s online shop effectively deploys 3D Secure 2.0 and transmits additional data. With this protocol, a bank can carry out a risk assessment and spare its customers from having to go through two-factor authentication.

Apart from that, however, every retailer is strongly advised to optimize and streamline the digital checkout zone in the interest of keeping conversion rates high. More than ever before, the customer must find it as convenient as possible to place an order. Smaller retailers in particular will be unable to solve this without the cooperation of their payment service provider (PSP), in many cases assisted by the provider of the respective shop software as well. The good news is that both PSPs and shop systems have had this topic on their agendas for months and provide appropriate workarounds in all known cases. The bad news is that it is now likely to be difficult to find a free slot at most eCommerce agencies that implement these changes.

But if you haven’t made the necessary changes to your web shop by the mid-September deadline, you’re not alone: According to a Stripe survey conducted in June, one eCommerce company in two expects to fail to meet the tight timetable. If you do not already do so, it may be worthwhile to feature direct-debit capability prominently, because in this case it is not the customer but the payee who initiates the payment transaction. And Ralf Gladis of Computop has another tip for retailers still struggling with SCA: “Dealers should offer secured invoice purchase on account as an alternative, because it still works without SCA and remains an extremely popular payment method, especially for German customers.”

The bottom line: SCA does not need to become an insurmountable barrier to retail

Strong Customer Authentication is a change that online retailers must now face. All in all, it can lead to fewer cases of fraud and does not necessarily have to impact conversion. Still, online retailers would do well to keep a closer eye than usual on purchase cancellations at the tail end of the customer journey, i.e. in the checkout zone, and should also offer solutions that, for legal reasons, are exempt from mandatory SCA requirements.


*The term “authentication” describes two different aspects of the process: a customer authenticates him- or herself and can also be authenticated by the system.
